Connecticut Obamacare exchange suspends worker in data breach

A Connecticut Obamacare exchange worker has admitted to taking personal information about enrollees out of the office, information that was found in a backpack left on a Hartford street last week, officials said.

The worker, an employee of the exchange's call center vendor Maximus, has been suspended as officials continue investigating the breach related to about 400 insurance plan enrollees. It is believed to be Obamacare's first-ever breach of enrollees' personal data.

"While we are still working to understand exactly why this person took the information out of the building, based on what we have learned so far, it does not appear there was malfeasance on the part of this person," said Jason Madrak, chief marketing officer of the Access Health CT exchange.

Maximus, in its own statement Monday, said that an investigation "has led us to believe that this was an incident where there was no malicious intent."

"At this time, Maximus has no reason to believe that any of the information in the backpack has been misused," the company said.

Source: Access Health CT | Facebook

Access Health CT has scheduled a 2 p.m. ET press conference Monday to provide an update about the situation.

Officials last Friday revealed that earlier that day a backpack was found on Trumbull Street in downtown Hartford, the same street where Access Health CT's offices are located.

Inside the backpack were four notepads containing "a combination of handwritten names, Social Security numbers and birth dates for approximately 400 individuals," said Madrak. He said that fewer than 200 Social Security numbers were on the pads.

"The owner of the backpack came forward on his own, after hearing about the discovery of the backpack on local TV news on Friday evening," Madrak said.

"As the investigation continues, this individual has been placed on administrative leave and has had all system access privileges revoked," he said.

The notes found on the pads are consistent with the kind that are sometimes made by call center representatives when they service clients in the enrollment process, according to Madrak.

Chipping away at Obamacare

Discussing the likelihood those without health insurance will pay the Obamacare mandate tax, with Avik Roy, Manhattan Institute senior fellow.

"However, it is expressly prohibited for this information to leave the call center office in any way, shape or form," Madrak said. "Access Health CT senior management will be meeting with senior Maximus representatives on Monday morning in Hartford to continue the investigation and determine any actions necessary to ensure this does not occur again."

The exchange is now calling people whose information was on the employee's notepads, and is offering them, at no cost to them, credit monitoring, fraud resolution, identity theft insurance, and security freezes of credit reports, Madrak said.

"We are sorry this happened, and we are working to rectify as quickly as possible, as well doing whatever is necessary to try to prevent it from happening again," he said.

In its prepared statement, Maximus said, the company "takes full responsibility for this incident, and we regret any concern that this has caused Access Health CT consumers. Protecting citizens' private information is our No. 1 priority, and we will be notifying all affected individuals to offer them free fraud prevention services to help ensure peace of mind."

"We are also reinforcing security and training policies and procedures to help ensure that this does not happen again."

Maximus also said the company conducts criminal background checks for prospective employees, and also trains workers in handling personal data.

"The person involved in this incident had cleared all required background checks and training before beginning work in the Access Health CT customer contact center," Maximus said. "The team member violated company policy, which strictly prohibits the removal of personal data."

Connecticut's Obamacare exchange is considered to be among the most successful of all the government-run Affordable Care Act marketplaces. Those exchanges enroll people in private health insurance plans and screen people for Medicaid eligibility as part of the law's mandate that nearly all Americans obtain some form of health coverage this year or pay a fine.

In February, the exchange's CEO, Kevin Counihan, said Access Health CT would look to franchise its exchange platform to other states.

Maryland, whose own exchange badly floundered during Obamacare's open-enrollment period, plans to use Connecticut's exchange system to replace its own.